● 08.02.23
●● Mozilla Firefox 115.1 and 116 Released With Two Microsoft Windows-Only Security Issues Plugged
Posted in Security, Windows at 12:08 am by Guest Editorial Team
Reprinted with permission from Ryan
Firefox 115.1 and 116 Released With Two Windows-Only Security Issues Fixed
As usual, a Firefox release is out with serious security vulnerabilities inherited from Windows in addition to actual bugs in Firefox.
This is a common occurrence because Windows is badly designed and adds vulnerabilities to everything that runs on top of it.
CVE-2023-4052 creates a hazard using the NTFS version of symbolic links and a hole in Windows UAC (discretionary access controls).
CVE-2023-4054 is yet another Windows MetaFile-like bug that can be used to run malicious code without any warning. █
>
●●●● CVE-2023-4052: File deletion and privilege escalation through Firefox uninstaller
>
Reporter: ycdxsb. Impact: moderate.
●●●● Description
>
The Firefox updater created a directory writable by non-privileged users. When uninstalling Firefox, any files in that directory would be recursively deleted with the permissions of the uninstalling user account. This could be combined with creation of a junction (a form of symbolic link) to allow arbitrary file deletion controlled by the non-privileged user. This bug only affects Firefox on Windows. Other operating systems are unaffected.
>
>
●●●● CVE-2023-4054: Lack of warning when opening appref-ms files
>
Reporter: P Umar Farooq. Impact: moderate.
●●●● Description
>
When opening appref-ms files, Firefox did not warn the user that these files may contain malicious code. This bug only affects Firefox on Windows. Other operating systems are unaffected.
>
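The recursive-deletion problem in the CVE-2023-4052 description, seen from the defensive side, as an added example (not Mozilla's uninstaller code or its fix): a cleanup routine that removes links and reparse points as links instead of descending into them. The function names and the constructed directory layout are assumptions, and a symlink stands in for an NTFS junction so the sketch also runs outside Windows.

```python
import os
import stat
import tempfile

REPARSE_POINT = 0x400  # Windows FILE_ATTRIBUTE_REPARSE_POINT (junctions, symlinks)

def is_link_like(path):
    """True if path is a symlink or, on Windows, any reparse point."""
    st = os.lstat(path)  # lstat inspects the entry itself, never its target
    attrs = getattr(st, "st_file_attributes", 0)  # field exists only on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & REPARSE_POINT)

def safe_remove_tree(root):
    """Delete root recursively; links are unlinked, never traversed.

    Returns the link paths that were removed without being followed.
    Note: check-then-delete still leaves a race window; production code
    should also fix the directory's ACL and use handle-based deletion.
    """
    if is_link_like(root):
        raise ValueError(f"refusing to clean up through a link: {root}")
    not_followed = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if is_link_like(path):
            os.unlink(path)  # removes the link only, target stays intact
            not_followed.append(path)
        elif os.path.isdir(path):
            not_followed += safe_remove_tree(path)
        else:
            os.unlink(path)
    os.rmdir(root)
    return not_followed

def demo():
    """Constructed layout: an update directory holding a planted link."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")
    updates = os.path.join(base, "updates")
    os.mkdir(victim)
    os.mkdir(updates)
    keep = os.path.join(victim, "keep.txt")
    for f in (keep, os.path.join(updates, "stale.log")):
        open(f, "w").close()
    os.symlink(victim, os.path.join(updates, "redirect"), target_is_directory=True)
    removed = safe_remove_tree(updates)
    return os.path.exists(updates), os.path.exists(keep), len(removed)

if __name__ == "__main__":
    print(demo())
```

The returned list of unfollowed links is worth logging during cleanup, since a link inside a directory that should only hold updater files is itself a sign of tampering.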
----------
➮ Sharing is caring. Content is available under CC-BY-SA.